Understanding Vishing and Smishing Exploits - New Techniques You MUST Know

Phishing attempts usually arrive by email or instant message. The victim receives a message with a spoofed sender field that demands an immediate response. The fraudulent message contains a link to a fake website, where the victim typically enters a piece of personal information such as a password, their work login credentials, or other identifying details.

While the confidence tricks behind phishing existed long before the Internet, our readiness to engage with social media, connect with people through email, and place trust in online systems we don’t fully understand (banking included) has created a golden age for would-be scammers. Their Midas touch continues with the “introduction” of vishing and smishing exploits.

Vishing

Voice phishing, referred to as vishing, is a common electronic fraud technique whose use is increasing. It relies largely on the victim’s tendency to trust a voice call on a landline more than other channels, such as their mobile phone or email.

A vishing attack usually aims to extract banking details or other important personal information from the victim, and is usually carried out with automated dialing and voice-synthesis equipment. However, there are increasing reports of human operators pressing their victims to part with their details. Vishing attacks are usually very difficult to trace, even more so with the advent of extremely cheap Voice-over-IP (VoIP) services, caller-ID spoofing, and automated dialing services.

One common technique begins with the victim simply answering the attacker’s call. They then hear whatever spiel the scammer has chosen, usually an immediately actionable request concerning their credit card or unusual activity on their account. The victim is then given a spoofed phone number to call.

One of two things now occurs. Either:
  • The victim is met with an automated voice system requiring them to enter their credit card, debit card, or other banking details, along with their PINs and other personal identifiers, or 
  • When the victim hangs up to call their bank, the fraudster does not. On some landline exchanges a call is only cleared when the calling party hangs up, so the line stays open and connected to the fraudster. The victim may then hear a spoofed dial tone, followed by the scammer “answering” the phone. They then pose as a bank official, requesting details from the victim for later use, or to funnel funds from one account into a new, “secure” account. 
The check that defeats both variants is the same: hang up, wait several minutes or use a different phone, and call only the number printed on the back of the card.

Depending on the scam and the bank, victims may recover some of their lost funds, but this is by no means guaranteed. Some banks, however heartless it may appear, reject claims of this nature on the grounds that the victim acted with “gross negligence” by not assuring their own banking security.
“HSBC has refused to refund the money, arguing that the couple’s real bank cards (not a clone) and the correct pins were used and that, therefore, they have breached the bank’s terms and conditions and were grossly negligent.”
And while the above instance applies to lost and stolen bank cards, monetary loss through vishing fraud is still a legal gray area, with the banks arguing that some of the liability must be placed upon the victim to actively protect their own interests, despite concerted efforts by scammers.

Smishing

“SMiShing”, a portmanteau of SMS and phishing, is the act of using SMS messaging to defraud an individual. Smishing techniques are closely analogous to phishing and vishing: the victim receives a text message purporting to be from a reliable, trustworthy source.

The SMS usually carries a similar message, too, with attackers posing as bank administrators or officials delivering a warning of a compromised credit or debit card, account, or identity. The victim is then encouraged to follow the malicious link or call the phone number included in the message, where they reveal the requested information to the fraudsters.

SMS phishing victims are not always targeted with a banking scam, as you can see in the above Tweet. That is a sample of the smishing campaign currently underway, taken from my hometown. Similarly, in 2012 a large number of US citizens received an SMS containing text along the lines of:
“Dear Walmart shopper, Congratulations you have just won a $1000 Walmart Gift Card. Click here to claim your gift. www.fraudulentwebsiteaddress.com (cancel: STOP)”
This scam used Walmart’s popularity to lure victims into clicking the link, where they were asked a series of personally identifying questions, culminating in a straight-up request for credit or debit card details.

Personal details aren’t always the primary goal. Some smishing campaigns focus on installing malware on the victim’s phone for a sustained data collection attack, preferring to gather more information over a longer period of time, while the victim remains painfully unaware.
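The tells described above (a link or call-back number, urgency, a request for a PIN or card details, a prize lure, and a brand name that does not match the link's domain) can be turned into a simple scoring rule. The following is an added example, not code from the original post: a small heuristic smishing scorer run over three constructed messages. The Walmart text is the one quoted above; the bank and parcel messages, the keyword lists, the brand list and the threshold of 3 are all assumptions made for illustration, not data from any real campaign.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample messages. The first is the Walmart text quoted in the post;
# the other two are invented for this example.
SAMPLE_MESSAGES = [
    "Dear Walmart shopper, Congratulations you have just won a $1000 Walmart Gift Card. "
    "Click here to claim your gift. www.fraudulentwebsiteaddress.com (cancel: STOP)",
    "ALERT: Your card has been suspended due to unusual activity. Verify your PIN "
    "immediately at http://secure-bank-verify.example/login or call 0800-000-0000.",
    "Your parcel is out for delivery and will arrive between 2pm and 4pm.",
]

URL_RE = re.compile(r"(?:https?://|www\.)[^\s()<>]+", re.IGNORECASE)
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d[\d\-\s]{7,}\d)(?!\d)")

# Keyword lists are illustrative assumptions, not a vetted signature set.
URGENCY = ("immediately", "urgent", "suspended", "within 24 hours", "act now", "final notice", "locked")
CREDENTIALS = ("pin", "password", "passcode", "verify", "confirm your", "security code")
PRIZE = ("won", "winner", "congratulations", "gift card", "claim your")
BRANDS = ("walmart", "hsbc", "paypal", "amazon")  # assumed brand list for the mismatch check

SUSPICIOUS_THRESHOLD = 3  # assumed cut-off


@dataclass
class Verdict:
    score: int
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def domain_of(url: str) -> str:
    """Strip the scheme and path, returning the lower-cased host part of a URL."""
    host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return host.split("/")[0].lower()


def _has_word(text: str, phrase: str) -> bool:
    """Whole-word match so that 'pin' does not fire on 'shipping'."""
    return re.search(rf"\b{re.escape(phrase)}\b", text) is not None


def score_sms(text: str) -> Verdict:
    """Score one SMS body; each matched signal adds points and a human-readable reason."""
    lowered = text.lower()
    verdict = Verdict(score=0)

    urls = URL_RE.findall(text)
    if urls:
        verdict.score += 1
        verdict.reasons.append(f"contains link: {urls[0]}")
    if PHONE_RE.search(text):
        verdict.score += 1
        verdict.reasons.append("contains call-back number")

    # Asking for credentials is weighted more heavily than tone or lure words.
    for label, words, weight in (("urgency", URGENCY, 1),
                                 ("asks for credentials", CREDENTIALS, 2),
                                 ("prize lure", PRIZE, 1)):
        hits = [w for w in words if _has_word(lowered, w)]
        if hits:
            verdict.score += weight
            verdict.reasons.append(f"{label}: {', '.join(hits)}")

    # Brand named in the text but absent from every linked domain: the classic lure shape.
    for brand in BRANDS:
        if _has_word(lowered, brand) and urls and not any(brand in domain_of(u) for u in urls):
            verdict.score += 2
            verdict.reasons.append(f"mentions {brand} but link goes to {domain_of(urls[0])}")
            break
    return verdict


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = score_sms(msg)
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"[{flag}] score={v.score} :: {msg[:60]}...")
        for reason in v.reasons:
            print(f"    - {reason}")
```

The brand/domain mismatch is the single strongest signal here, because it is the one the scammer cannot avoid: they must name the bank or retailer to make the lure work, yet cannot host the page on that organisation's domain. A real deployment would replace the keyword lists with tuned ones and feed the score into a mobile security gateway or an SMS-aggregator filter rather than printing it.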
